
This trojan will rewrite your hosts file to add entries such as this:

127.0.0.1 www.symantec.com

not allowing you to access AV websites. If this is the case, could you highlight any line BELOW

127.0.0.1 localhost <-- don't delete this line

and use the Delete Line(s) button to remove the line.

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu). Be sure you're able to view hidden files, and remove the following files (if found):

C:\WINNT\system32\5.tmp
updater.pif

Restart back into Normal Mode. Post back with a fresh hijackthis log and a silent runners log.

* Please click this link to download Silent Runners.
* Save it to the desktop.
* Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
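The hosts-file check described in the post above, as an added example (not code from the thread): it parses a constructed sample hosts file, lists every name other than localhost that is mapped to a loopback or null address, flags the ones that match an assumed watchlist of security-vendor domains, and strips those lines while leaving the 127.0.0.1 localhost line alone. SAMPLE_HOSTS, AV_WATCHLIST and BLACKHOLE_IPS are assumptions for the example; the general check (any non-localhost name pointed at loopback) goes beyond the single entry the post quotes.

```python
# Constructed sample of a Windows hosts file for this example (not taken from
# the thread): a healthy localhost line, a user-added LAN entry, and the kind
# of entries the post describes, where security-vendor names point at loopback.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "#\n"
    "127.0.0.1       localhost\n"
    "192.168.1.50    myworkstation\n"
    "127.0.0.1 www.symantec.com\n"
    "127.0.0.1\tsecurityresponse.symantec.com  liveupdate.symantec.com\n"
    "0.0.0.0   www.pandasoftware.com\n"
    "127.0.0.1 www.example.com   # not on the watchlist, still a redirect\n"
)

# Assumed watchlist of vendor domains whose redirection to loopback is the
# symptom the post describes. Extend it for your environment.
AV_WATCHLIST = (
    "symantec.com", "mcafee.com", "pandasoftware.com", "trendmicro.com",
    "kaspersky.com", "sophos.com", "grisoft.com", "f-secure.com",
    "windowsupdate.com", "microsoft.com",
)

# Addresses that make a name resolve to nowhere useful.
BLACKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return (line_no, ip, [hostnames]) for every non-comment hosts line."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        parts = line.split()  # any run of spaces or tabs separates fields
        entries.append((n, parts[0], parts[1:]))
    return entries


def find_loopback_redirects(text):
    """Every (line_no, ip, host) where a name other than localhost is mapped
    to a loopback or null address. This is the general check: any such entry
    deserves a look, whoever the host belongs to."""
    hits = []
    for n, ip, hosts in parse_hosts(text):
        if ip in BLACKHOLE_IPS:
            hits.extend((n, ip, h) for h in hosts if h.lower() != "localhost")
    return hits


def _on_watchlist(host, watchlist):
    h = host.lower()
    return any(h == d or h.endswith("." + d) for d in watchlist)


def find_hijacked_entries(text, watchlist=AV_WATCHLIST):
    """The narrower check: redirects that hit a watchlisted vendor domain."""
    return [(n, ip, h) for n, ip, h in find_loopback_redirects(text)
            if _on_watchlist(h, watchlist)]


def clean_hosts(text, watchlist=AV_WATCHLIST):
    """Return the hosts text with the hijacking lines removed. The
    '127.0.0.1 localhost' line is never touched, exactly as the post warns."""
    bad_lines = {n for n, _, _ in find_hijacked_entries(text, watchlist)}
    kept = [raw for n, raw in enumerate(text.splitlines(), 1)
            if n not in bad_lines]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for n, ip, host in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {n}: {ip} -> {host}")
    print(clean_hosts(SAMPLE_HOSTS))
```

On the machine in this thread the file would be read from C:\WINNT\system32\drivers\etc\hosts (the C:\WINNT paths suggest Windows 2000); 0.0.0.0 is included in the address set because it blackholes a name just as 127.0.0.1 does. Run the general check first and decide line by line; the watchlist only automates the obvious vendor cases.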

DJBenz (Member, Topic Starter, 20 posts)
Posted 21 August 2005 - 02:46 PM

OK, I looked at the hosts file and it is exactly as it should be. The only modification is one I made, adding an IP and host name of my PC to identify it to my router (currently I'm not using the router as it is being replaced).

5.tmp was not found. Nor was updater.pif but I found a shortcut to 'updater' which threw up an error message if I tried to find the program it was pointing to, so I deleted it.

coachwife6 (SuperStar, Retired Staff, 11,413 posts)
Posted 22 August 2005 - 08:11 AM

Thatman gave me some great instructions. He is awesome.

Important Step

Go to Start->Run and type "Services.msc" (without quotes) then hit Ok. Scroll down and find the service called:

Windows Product Activation (wpa)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don't find this service listed, go ahead with the next steps.

Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:

O23 - Service: Windows Product Activation (wpa) - Unknown owner - C:\WINNT\system32\wpa.exe (file missing)

The following can be checked in hijack this but please read first.

It's possible that the following are secure download and upload software for transferring large files. This item below is some sort of open source, maybe Java or Visual Basic; best that you uninstall this application. If you use or need the software, he will have to reinstall it, as some of the links are missing.

If you were unable to find any of the files then please follow these additional instructions:

Download Pocket Killbox and unzip it; save it to your Desktop. Run Killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the "Full path of file to delete" box and click the red circle with a white cross in it. The program will ask you if you want to reboot; say No each time until the last one has been pasted in, whereupon you should answer Yes.

C:\WINNT\system32\wpa.exe
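An added example, not code from the thread or from HijackThis, that parses O23 service lines of the form quoted above and picks out the entries worth a second look before fixing them. The first sample line is the entry quoted in this thread; the other three lines and the triage rules (a "(file missing)" marker, or an "Unknown owner" binary under system32) are assumptions constructed for the example.

```python
import re

# Constructed HijackThis O23 lines for this example. The first is the entry
# quoted in the thread; the other three are made up to show what ordinary
# vendor-owned services look like beside it.
SAMPLE_O23 = r"""O23 - Service: Windows Product Activation (wpa) - Unknown owner - C:\WINNT\system32\wpa.exe (file missing)
O23 - Service: Example License Daemon (exlmd) - Example Corp - C:\Program Files\Example\lmgrd.exe
O23 - Service: Updater (updsvc) - Unknown owner - C:\WINNT\system32\updsvc.exe
O23 - Service: Event Log (Eventlog) - Microsoft Corporation - C:\WINNT\system32\services.exe
"""

# O23 - Service: <display name> (<service name>) - <owner> - <path>[ (file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^()]+)\) - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def parse_o23(text):
    """Parse every O23 line into a dict; lines that don't match are skipped."""
    entries = []
    for line in text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["missing"] = d["missing"] is not None  # True when "(file missing)"
        entries.append(d)
    return entries


def triage_services(entries):
    """Return [(service name, [reasons])] for entries worth a closer look.
    The rules are assumptions for this example, not HijackThis's own logic."""
    flagged = []
    for e in entries:
        reasons = []
        if e["missing"]:
            reasons.append("file missing")
        if (e["owner"].lower() == "unknown owner"
                and "\\system32\\" in e["path"].lower()):
            reasons.append("unknown owner, binary under system32")
        if reasons:
            flagged.append((e["name"], reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in triage_services(parse_o23(SAMPLE_O23)):
        print(f"{name}: {', '.join(reasons)}")
```

The parser only sees what the log printed, so confirm the state of any flagged service in Services.msc as in the steps above before deciding what to fix; a "(file missing)" entry is a service registration whose binary is no longer at the recorded path, which is why both the service and the path get dealt with.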

DJBenz (Member, Topic Starter, 20 posts)
Posted 22 August 2005 - 08:20 AM

The following can be checked in hijack this but please read first.

It's possible that the following are secure download and upload software for transferring large files. This item below is some sort of open source, maybe Java or Visual Basic; best that you uninstall this application. If you use or need the software, he will have to reinstall it, as some of the links are missing.

These services are for the license daemon for my CAD (Computer Aided Design) software. I am confident that they are not rogue services, and they match the same services running on my work machine where I use the same software. If need be I can uninstall the software, but it would be a major PITA (6 CDs to re-install!).

The wpa.exe service is gone (because it is disabled), but it is still present in services.msc (if it is running, HJT cannot fix it - if it's disabled HJT doesn't find it.) I still cannot connect to Activescan or Amazon.